I am new to the forum and new to PHP and Mysql too.
I have an application that displays all records to only logged in users but I want to display only the records for the logged in user.
I have a class called session that holds the username of the logged in user. This class starts the session in all pages. All user records have a field called userid.
How can I ensure that only the logged in users records are displayed? I was thinking that modifying the sql statement was the answer but I am unsure of how to do this.
Here is the code that I think I need to change to achieve this.
Code: Select all
include("session.php");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<title>Property View</title>
<?
if($session->logged_in){
echo "Logged In";
echo "Welcome <b>$session->username</b>, you are logged in. <br><br>";
}
?>
<?php
include("./language.php");
include("./lib.php");
include("./property_dml.php");
$x = new DataList;
if($HTTP_POST_VARS["Filter_x"] != "" || $HTTP_POST_VARS['CSV_x'] != "")
{
// Query used in filters page and CSV output
$x->Query = "select property.propcode as 'Property Code', property.your_ref as 'Your Reference', property.rec_status as 'Status', property.prop_type as 'Type', property.message as 'SMS Text Message' from property";
}
else
{
// Query used in table view
$x->Query = "select property.propcode as 'Property Code', property.your_ref as 'Your Reference', property.rec_status as 'Status', property.prop_type as 'Type' from property";
}
$x->DataHeight = 150;
$x->AllowSelection = 1;
$x->AllowDelete = 0;
$x->AllowInsert = 0;
$x->AllowUpdate = 1;
$x->AllowFilters = 1;
$x->AllowSavingFilters = 0;
$x->AllowSorting = 1;
$x->AllowNavigation = 1;
$x->AllowPrinting = 1;
$x->AllowCSV = 1;
$x->HideTableView = 0;
$x->RecordsPerPage = 10;
$x->QuickSearch = 1;
$x->QuickSearchText = $Translation["quick search"];
$x->ScriptFileName = "property_view.php";
$x->TableTitle = "Property";
$x->PrimaryKey = "property.id";
$x->ColWidth[] = 150;
$x->ColWidth[] = 150;
$x->ColWidth[] = 150;
$x->ColWidth[] = 150;
$x->Render();
// include("./header.php");
echo $x->HTML;
// include("./footer.php");
?>Code: Select all
<?php
// Data functions for table property
function insert()
{
global $HTTP_SERVER_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_POST_FILES, $Translation;
if(get_magic_quotes_gpc())
{
$propcode = $HTTP_POST_VARS["propcode"];
$your_ref = $HTTP_POST_VARS["your_ref"];
$rec_status = $HTTP_POST_VARS["rec_status"];
$prop_type = $HTTP_POST_VARS["prop_type"];
$message = $HTTP_POST_VARS["message"];
$contact = $HTTP_POST_VARS["contact"];
$userid = $HTTP_POST_VARS["userid"];
}
else
{
$propcode = addslashes($HTTP_POST_VARS["propcode"]);
$your_ref = addslashes($HTTP_POST_VARS["your_ref"]);
$rec_status = addslashes($HTTP_POST_VARS["rec_status"]);
$prop_type = addslashes($HTTP_POST_VARS["prop_type"]);
$message = addslashes($HTTP_POST_VARS["message"]);
$contact = addslashes($HTTP_POST_VARS["contact"]);
$userid = addslashes($HTTP_POST_VARS["userid"]);
}
$image = PrepareUploadedFile("image", 100000);
sql("insert into property (your_ref, rec_status, prop_type, message, contact, image) values (" . (($your_ref != "") ? "'$your_ref'" : "NULL") . ", " . (($rec_status != "") ? "'$rec_status'" : "NULL") . ", " . (($prop_type != "") ? "'$prop_type'" : "NULL") . ", " . (($message != "") ? "'$message'" : "NULL") . ", " . (($contact != "") ? "'$contact'" : "NULL") . ", " . (($image != "") ? "'$image'" : "NULL") . ")");
return mysql_insert_id();
}
function delete($selected_id)
{
// insure referential integrity ...
global $Translation;
sql("delete from property where id='$selected_id'");
}
function update($selected_id)
{
global $HTTP_SERVER_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $Translation;
if(get_magic_quotes_gpc())
{
$propcode = $HTTP_POST_VARS["propcode"];
$your_ref = $HTTP_POST_VARS["your_ref"];
$rec_status = $HTTP_POST_VARS["rec_status"];
$prop_type = $HTTP_POST_VARS["prop_type"];
$message = $HTTP_POST_VARS["message"];
$contact = $HTTP_POST_VARS["contact"];
$userid = $HTTP_POST_VARS["userid"];
}
else
{
$propcode = addslashes($HTTP_POST_VARS["propcode"]);
$your_ref = addslashes($HTTP_POST_VARS["your_ref"]);
$rec_status = addslashes($HTTP_POST_VARS["rec_status"]);
$prop_type = addslashes($HTTP_POST_VARS["prop_type"]);
$message = addslashes($HTTP_POST_VARS["message"]);
$contact = addslashes($HTTP_POST_VARS["contact"]);
$userid = addslashes($HTTP_POST_VARS["userid"]);
}
if($HTTP_POST_VARS['image_remove'] == 1){
$image = "";
}else{
$image = PrepareUploadedFile("image", 100000);
}
sql("update property set " . "your_ref=" . (($your_ref != "") ? "'$your_ref'" : "NULL") . ", " . "rec_status=" . (($rec_status != "") ? "'$rec_status'" : "NULL") . ", " . "prop_type=" . (($prop_type != "") ? "'$prop_type'" : "NULL") . ", " . "message=" . (($message != "") ? "'$message'" : "NULL") . ", " . "contact=" . (($contact != "") ? "'$contact'" : "NULL") . ", " . ($image!="" ? "image='$image'" : ($HTTP_POST_VARS['image_remove'] != 1 ? "image=image" : "image=NULL")) . " where id='$selected_id'");
}
function form($selected_id = "", $AllowUpdate = 1, $AllowInsert = 1, $AllowDelete = 1)
{
// function to return an editable form for a table records
// and fill it with data of record whose ID is $selected_id. If $selected_id
// is empty, an empty form is shown, with only an 'Add New'
// button displayed.
global $Translation;
if(!$AllowInsert && $selected_id==""){ return ""; }
$code = "<br><table border=1 bordercolor=navy cellpadding=0 cellspacing=0><tr><td><div class=TableTitle>Detail View</div></td></tr><tr><td><table>";
$code .= "\n\t<tr><td colspan=2></td><td rowspan=7 valign=top>";
if($AllowInsert)
$code .= "<div><input type=image src=insert.gif name=insert alt='" . $Translation["add new record"] . "'></div>";
// combobox: rec_status
$combo_rec_status = new Combo;
$combo_rec_status->ListItem = explode(";;", " ;;Active;;Inactive");
$combo_rec_status->ListData = explode(";;", " ;;Active;;Inactive");
$combo_rec_status->SelectName = "rec_status";
// combobox: prop_type
$combo_prop_type = new Combo;
$combo_prop_type->ListItem = explode(";;", "Sale;;Rental;;Auction;;Commercial;;Other");
$combo_prop_type->ListData = explode(";;", "Sale;;Rental;;Auction;;Commercial;;Other");
$combo_prop_type->SelectName = "prop_type";
if($selected_id)
{
$res = sql("select * from property where id='$selected_id'");
$row = mysql_fetch_array($res);
$combo_rec_status->SelectedData = $row["rec_status"];
$combo_prop_type->SelectedData = $row["prop_type"];
$code .= "<br>";
if($AllowUpdate)
$code .= "<div><input type=image src=update.gif vspace=1 name=update alt='" . $Translation["update record"] . "'></div>";
if($AllowDelete)
$code .= "<div><input type=image src=delete.gif vspace=1 name=delete alt='" . $Translation["delete record"] . "' onclick='return confirm(\"" . $Translation["are you sure?"] . "\");'></div>";
$code .= "<div><input type=image src=deselect.gif vspace=1 name=deselect alt='" . $Translation["deselect record"] . "'></div>";
}
$combo_rec_status->Render();
$combo_prop_type->Render();
$code .= "</td></tr>";
// Detail view form fields
/* $code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>ID</div></td><td class=TableBody width=300>" . $row['id'] . " </td></tr>";
*/ $code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Property Code</div></td><td class=TableBody width=300>" . $row['propcode'] . " </td></tr>";
$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Your Reference</div></td><td class=TableBody width=300><textarea class=TextBox name=your_ref cols=50 rows=4>" . htmlspecialchars($row["your_ref"], ENT_QUOTES) . "</textarea> </td></tr>";
$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Status</div></td><td class=TableBody width=300>$combo_rec_status->HTML </td></tr>";
$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Type</div></td><td class=TableBody width=300>$combo_prop_type->HTML </td></tr>";
$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>SMS Text Message</div></td><td class=TableBody width=300><textarea class=TextBox name=message cols=50 rows=4>" . htmlspecialchars($row["message"], ENT_QUOTES) . "</textarea> </td></tr>";
$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Contact</div></td><td class=TableBody width=300><textarea class=TextBox name=contact cols=50 rows=3>" . htmlspecialchars($row["contact"], ENT_QUOTES) . "</textarea> </td></tr>";
$code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Image</div></td><td class=TableBody width=300>";
if($row["image"]) $code .= "<img src=" . $Translation['ImageFolder'] . $row['image'] . " border=0>";
$code .= "<input type=hidden name=MAX_FILE_SIZE value=100000>";
$code .= "<br>" . $Translation["upload image"] . " <input type=file name=\"image\" class=TextBox>";
if($AllowUpdate && $row["image"]!=""){
// Comment the line below to hide the 'Remove image' checkbox
$code .= "<br><input type=checkbox name='image_remove' value='1'> <b class=Error>" . $Translation["remove image"] . "</b>";
}
$code .= " </td></tr>";
/* $code .= "\n\t<tr><td class=TableHeader valign=top><div class=TableHeader style='text-align:right;'>Userid</div></td><td class=TableBody width=300>" . $row['userid'] . " </td></tr>";
*/
$code .= "</table></td></tr></table>";
return $code;
}
?>